1. Identity and contact details of the data controller / DPO

2. What Information do we collect?

The I.M. Companies operate in various different markets including mainly Automotive and Property. As a generality, we hold basic personal details about our customers’ and prospective customers’ contact details and address (as well as sometimes telephone numbers, date of birth, gender and marital status) so that we can communicate with them when necessary. Very occasionally, we also hold details of our customers financial arrangements where there is a business-related need for us to do so. We also hold electronic copies of our correspondence sent to or received from our customers and any contractors and suppliers who work with us. This correspondence is primarily in email format. Our Automotive businesses hold extensive data relating to the vehicles owned by customers who purchased them from a member of our nationwide dealer networks. (“The Personal Data”)

3. How do we collect Personal Data?

We use a variety of sources including:-

information about you that you give to us by entering information via our websites or our social media pages or by corresponding with us by phone, email or otherwise. The information you give to us includes your name, contact details (such as phone number, email address and address), enquiry details and your opinion of our products;

we may automatically collect the following Personal Data: our web servers store as standard details of your browser and operating system, the website from which you visit our websites, the pages that you visit on our websites, the date of your visit, and, for security reasons, e.g. to identify attacks on our websites, the Internet protocol (IP) address assigned to you by your internet service. We collect some of this information using cookies – please see our Cookies Policy for further information;

we may also collect Personal Data which you allow to be shared that is part of your public profile on a third party social network;

we may obtain certain Personal Data about you from sources outside our business which may include our dealer networks or other third party companies, such as estate agents.

4. How will your information be used?

The I.M. Companies will only use the Personal Data for the benefit of its customers or for some other lawful purpose. For example, we may use your Personal Data:

for analysis, and profiling to inform our marketing strategy, and to enhance and personalise your customer or visitor experience;

for market research in order to continually improve the products and services that we and our authorised dealers and agents deliver to you;

to administer our websites and for internal operations, including troubleshooting, testing, statistical purposes;

for marketing activities e.g. to tailor marketing communications or send targeted marketing messages via social media and other third party platforms;

for client entertainment (including staff parties and dealer conference, or similar events);

to ask you to provide your opinion or participate in surveys about our vehicles, products services, and dealerships;

for the prevention of fraud and other criminal activities;

to undertake credit checks for finance;

to correspond and communicate with you;

to create a better understanding of you as a customer or visitor;

for network and information security in order for us to take steps to protect your information against loss or damage, theft or unauthorised access;

to comply with a request from you in connection with the exercise of your rights (for example where you have asked us not to contact you for marketing purposes, we will keep a record of this on our suppression lists in order to be able to comply with your request);

for the purposes of corporate restructure or reorganisation or sale of our business or assets;

for efficiency, accuracy or other improvements of our databases and systems e.g. by combining systems or consolidating records we or our group companies hold about you;

to enforce or protect our contractual or other legal rights or to bring or defend legal proceedings; and

for general administration including managing your queries, complaints, or claims, and to send service messages to you.

In particular, it will never sell the Personal Data to a third party. We will only pass the Personal Data to third parties where there is a business driven need to do so and where we have an Article 28 Agreement in place with them.

5. Our legal basis for processing your data

Where we do not have your consent pursuit to Article 6 1. (a) of GDPR, we always have a legitimate interest pursuit to Article 6 1. (f). In addition, or alternatively from time to time we process Personal Data pursuit to lawful bases contained in other provisions of Article 6 such as the performance of a contractual obligation.

6. Who receives your information

As well as the I.M. Companies, we often share the Personal Data with third parties who carry out processing on our behalf pursuant to the terms of an Article 28 agreement. Such processing is necessary for the I.M. Companies to do their job properly and to service the needs of its customers throughout its various businesses. As a generality, such third parties fall into the following main categories:

Car Dealerships within our dealer networks

Roadside Assistance Providers (e.g. AA and RAC)

Holders of the Vehicle Safety Recall Databases (e.g. SMMT and SIMI)

Insurance Companies

Accident Management and Repair Service Providers

Estate Agents

Fraud Prevention Agencies

Credit References

Agents and Advisers who we use to help us carry out our business

7. Where your information is stored and how it is kept secure

On our secure computer systems and in some cases in hard form in our offices or in our onsite storage facility. We have invested in state of the art technical and organisational security measures to safeguard the Personal Data.

8. Transfers to third countries and safeguards in place

The I.M. Companies operate in the following countries

UK, Guernsey

Republic of Ireland

Sweden, Denmark, Finland, Estonia, Lithuania and Latvia

People’s Republic of China

Germany

United States

Australia

Generally, we are unlikely to transfer your Personal Data outside the EEA. We will only send your data outside of the European Economic Area (‘EEA’) to:

Follow your instructions.

Comply with a legal duty.

Work with our agents and advisers (including vehicle manufacturers) who we use to help run our businesses.

If we do transfer Personal Data to our agents or advisers outside of the EEA, we will make sure that it is protected in the same way as if it was being used in the EEA. We’ll use one of these safeguards:

Transfer it to a non-EEA country with privacy laws that give the same protection as the EEA.

Put in place a contract with the recipient that means they must protect it to the same standards as the EEA.

Transfer it to Organisations that are part of Privacy Shield. This is a framework that sets privacy standards for data sent between the US and EU countries. It makes sure those standards are similar to what is used within the EEA.

9. How long your information will be held

If we collect your Personal Data, the length of time we retain it is determined by a number of factors including the purpose for which we use that data and our obligations under other laws.

We do not retain Personal Data in an identifiable format for longer than is necessary.

We may need your Personal Data to establish, bring or defend legal claims, in which case we will retain your personal information for 7 years after the last occasion on which we have used your personal information in one of the ways specified in How will your information be used? in paragraph 4 above.

The only exceptions to this are where:

the law requires us to hold your Personal Data for a longer period, or delete it sooner;

you exercise your right to have the information erased (where it applies) and we do not need to hold it in connection with any of the reasons permitted in this paragraph, or because we are required under the law (see further Erasing your Personal Data or restricting its processing in paragraph 12) below;

and in limited cases, the law permits us to keep your personal information indefinitely provided we put certain protections in place.

10. Marketing

We may use your Personal Data to tell you about relevant products and offers. This is what we mean when we talk about ‘marketing’.

The Personal Data we have for you is made up of what you tell us, and data we collect when you buy one of our products from us or one of our dealers. We may also collect digital data relating to your web browsing and your interactions with our marketing emails.

We study this to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you.

We can only use your Personal Data to send you marketing messages if we have either your consent or a ‘legitimate interest’. That is when we have a business or commercial reason to use your information. It must not unfairly go against what is right.

You can ask us to stop sending you marketing messages by contacting us at any time.

Whatever you choose, you’ll still receive details of product recalls, and other important information.

We may ask you to confirm or update your choices. We will also ask you to do this if there are changes in the law, regulation, or the structure of our business.

If you change your mind you can update your choices at any time by contacting us or by utilising our Automotive Preference Centre.

11. COOKIES

‘Cookies’ are small pieces of information sent to your device and stored on its hard drive to allow our websites to recognise you when you visit. These help us understand how you use our websites so that we can customise our marketing for you. It may also save you from having to re-enter information when you return to our websites. We will however, only ever use cookies when we have your permission to do so.

For more information on how the I.M. Group companies use ‘cookies’ see our Cookie Policy by visiting our websites and clicking on the “Cookie Policy” link.

12. Your rights as a Data Subject

a) Your ‘data subject’ rights:
You have a number of rights in relation to your Personal Data under GDPR. In relation to certain rights, we may ask you for information to confirm your identity and, where applicable, to help us to search for your Personal Data. Except in rare cases, we will respond to you within 30 days after we have received this information or, where no such information is required, after we have received your request.

b) Accessing your Personal Data
You have the right to ask for a copy of the information that we hold about you by emailing or writing to us at the address in paragraph 1 of this privacy notice. We may not provide you with a copy of your Personal Data if this concerns other individuals or we have another lawful reason to withhold that information.

c) Correcting and updating your Personal Data
The accuracy of your personal data is important to us and we are working on ways to make it easier for you to review and correct the information that we hold about you.

In the meantime, if you change your name or address/email address, or you discover that any of the other information we hold is inaccurate or out of date, please let us know by contacting us.

d) Withdrawing your consent
Where we rely on your consent as the legal basis for processing your Personal Data, as set out under in paragraph 4 above, you may withdraw your consent at any time by contacting us using the details in paragraph 1 of the privacy notice.

e) Objecting to our use of your Personal Data and automated decisions made about you.
Where we rely on our legitimate business interests as the legal basis for processing your Personal Data for any purpose(s), as outlined under paragraph 5, you may object to us using your Personal Data for these purposes by emailing or writing to us at the address in paragraph 1 of this privacy notice. Except for the purposes for which we are sure we can continue to process your Personal Data, we will temporarily stop processing your Personal Data in line with your objection until we have investigated the matter. If we agree that your objection is justified in accordance with your rights under data protection laws, we will permanently stop using your data for those purposes. Otherwise we will provide you with our justification as to why we need to continue using your data.

You may object to us using your Personal Data for direct marketing purposes and we will automatically comply with your request.

f) Erasing your Personal Data or restricting its processing
In certain circumstances, you may ask for your Personal Data to be removed from our systems by emailing or writing to us at the address in paragraph 1 of this privacy notice. Unless there is a reason that the law allows us to use your Personal Data for longer, we will make reasonable efforts to comply with your request.

You may also ask us to restrict processing your Personal Data in the following situations:

• where you believe it is unlawful for us to do so,

• you have objected to its use and our investigation is pending or you require us to keep it in connection with legal proceedings.

In these situations, we may only process your Personal Data whilst its processing is restricted if we have your consent or are legally permitted to do so, for example for storage purposes, to protect the rights of another individual or company or in connection with legal proceedings.

g) Transferring your Personal Data in a structured data file
Where we rely on your consent as the legal basis for processing your Personal Data or need to process it in connection with your contract, as set out under paragraph 5 above, you may ask us to provide you with a copy of that information in a structured data file. We will endeavor to provide this to you electronically in a structured, commonly used and machine readable form, such as a CSV file.

13. How to make a complaint to us and our supervisory authority

You have the right to complain to the Information Commissioners Office (ICO) if you are concerned about the way we have processed your Personal Data. Please visit the ICO’s website for further details.